On November 25, 2017, Phil Pennock announced that the latest version of Exim fixed two vulnerabilities. Both can be exploited for remote code execution (RCE) and carry a high security risk.

A remote attacker can send crafted BDAT commands to execute arbitrary code on the SMTP server. The researchers also published a PoC written in Python, so anyone can run code on a vulnerable Exim server.

CVE-2017-16944

A remote attacker can force Exim into an infinite loop that hangs the server, even after the connection to the server has been closed. The vulnerability is caused by an improper check for the end-of-message character '.' when parsing the BDAT data header. The researchers also provide a PoC that exhausts and crashes the Exim server.

Condition and method of exploitation

The vulnerability can be exploited remotely; a public PoC is available.

PoC status

Published

Affected scope

Exim 4.88 and 4.89

Vulnerability detection

Check whether an affected version of Exim is in use.

How to fix or mitigate

Add the line chunking_advertise_hosts = (with an empty value) to the Exim configuration file. With this option empty, Exim no longer advertises the ESMTP CHUNKING extension, so clients cannot use BDAT and the vulnerable code path cannot be reached by attackers.

Version 4.89.1, which fixes both issues, has been released on the official Exim website. Upgrade as soon as possible.
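The following is an added example, not part of the advisory or of Exim itself, that turns the "Vulnerability detection" and "How to fix or mitigate" steps above into a host check. It assumes that exim -bV prints a line of the form "Exim version 4.89 #1 built 01-Jul-2017" and that exim -bP chunking_advertise_hosts prints "chunking_advertise_hosts = <value>"; both checks take that output as an argument so they can also be exercised on the constructed samples embedded below.

```shell
# Added example (not from the advisory): defender-side check combining the
# version test (affected scope: 4.88, 4.89) and the chunking_advertise_hosts mitigation.
# Assumptions: 'exim -bV' prints "Exim version 4.89 #1 built 01-Jul-2017" and
# 'exim -bP chunking_advertise_hosts' prints "chunking_advertise_hosts = <value>".

# Constructed sample outputs (not captured from a real host).
SAMPLE_BV_VULN='Exim version 4.89 #1 built 01-Jul-2017
Copyright (c) University of Cambridge, 1995 - 2017'
SAMPLE_BV_FIXED='Exim version 4.89.1 #1 built 25-Nov-2017'
SAMPLE_BP_DEFAULT='chunking_advertise_hosts = *'
SAMPLE_BP_MITIGATED='chunking_advertise_hosts = '

# Returns 0 when the reported version is in the affected scope (4.88 or 4.89);
# the fixed release 4.89.1 and any other version return 1.
exim_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    case "$ver" in
        4.88|4.89) return 0 ;;
        *)         return 1 ;;
    esac
}

# Returns 0 when chunking_advertise_hosts is non-empty, i.e. ESMTP CHUNKING
# (and therefore BDAT) is still advertised and the mitigation is not in place.
chunking_still_advertised() {
    val=$(printf '%s\n' "$1" | sed -n 's/^chunking_advertise_hosts *= *//p' | head -n 1)
    [ -n "$val" ]
}

# Live check on the local host: 0 = not affected or mitigated, 1 = no exim, 2 = vulnerable.
check_exim_host() {
    command -v exim >/dev/null 2>&1 || { echo "exim not found on this host"; return 1; }
    bv=$(exim -bV 2>/dev/null)
    bp=$(exim -bP chunking_advertise_hosts 2>/dev/null)
    if exim_version_affected "$bv"; then
        if chunking_still_advertised "$bp"; then
            echo "VULNERABLE: affected Exim version and CHUNKING still advertised; upgrade to 4.89.1"
            return 2
        fi
        echo "MITIGATED: affected version but chunking_advertise_hosts is empty; still upgrade"
        return 0
    fi
    echo "OK: Exim version is outside the affected scope"
    return 0
}

# Run the live check only when explicitly asked: sh check_exim.sh --live
if [ "${1:-}" = "--live" ]; then
    check_exim_host
fi
```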

Introduction to Exim

Exim is a message transfer agent (MTA) developed by Philip Hazel at the University of Cambridge for routing, forwarding, and delivering mail. It runs on most Unix-like systems, such as Solaris, AIX, Linux, and macOS. Compared with other MTAs, Exim is more flexible: it supports string expansion and provides functions such as conditional tests and string conversion.